Ethical challenges in Cybersecurity, by Mikko Hypponen



Thank you very much, and thank you for joining us in this session today. My name is Mikko. I've spent the last 26 years hunting hackers, analyzing online attacks, researching privacy and security threats, and trying to protect people's online security and privacy. During those years I've learned a lot of lessons, or I'd like to think I've learned a lot of lessons. Lessons like: complexity is the enemy of security, meaning the more complex our systems are, the harder they are to defend. Which of course would immediately lead us to the conclusion that if we really want to improve our security we would be simplifying our systems. So with every new release of every new operating system we would have fewer features, not more; fewer features. And every new app, every new version of an app or an application, would remove functionality instead of adding new functionality. But as we all know, that is not what is happening. We are adding complexity and layers of new functionality and new protocols all the time, which basically means we are setting ourselves up for failure. We are seeing this not just in our traditional computing systems; we are now seeing this also in the world of IoT, the wonderful world of the Internet of Things.

So when we think about ethics in this space, ethics in cybersecurity, we can either think about the ethics of the hackers or the ethics of the defenders, and there are implications on both sides, because not all hackers are the same. The conception that organizations often have when they start defending their network against attackers is that, you know, evil hackers are trying to break into our systems and we have to defend. That is not a very useful view. You have to really look beyond the one definition of a hacker, because we have completely different kinds of attackers who are targeting different targets, different organizations, for different reasons, for different motivations, and they use different technologies in their attacks. There is no one group.

Some hackers are good hackers, white hat hackers, people who break security to improve security, and they clearly have ethics to consider: things like responsible disclosure. When you find a vulnerability and you report it to the vendor and they are not fixing it, how soon can you tell the world about it? Things like that. Then we have purely criminal attackers, the ones who are making money with their attacks, and they don't need ethics in their line of work. They don't care about ethics; they break the rules, they break the laws, and we can't expect any ethics from them. Another attacker group are hacktivists, the ones who are not trying to make money with their attacks, the ones who are trying to protest with their attacks or who have a political motive, and they have some level of ethics in their work, at least some of them do. They think about what is a valid target for an attack, things like that. And then we have governments, governments doing offensive action on the internet. A great example of that was during the presidential elections in the United States, and we have seen, well, we have investigated cases that we link back to over 20 different governments. So this has become the norm: governments hack. And what kind of ethics do they use when they hack, or do they use any ethics? It's a great question. At least some consideration is put into the development of cyberweapons. Let's take an example that we all know: Stuxnet. Stuxnet, found in 2010, developed together with the United States National Security Agency in cooperation with Unit 8200 from the Israel Defense Forces. We all know the story, it's beautifully written: by the USA and Israel, targeting a nuclear facility in Iran. Except we can't prove it; that's why the deniability is strong. Cyber weapons are very useful for intelligence agencies and militaries because they are, first of all, effective; second, affordable; third, deniable. Effective, affordable, deniable: a great combination, especially the deniability part. So even though we all know it was the USA and Israel, they can still deny it, and they actually are still denying it today.

So that's the ethics of the attackers. And in Stuxnet the ethics show themselves in a piece of code which is, say, a kill switch. Stuxnet is an example of a self-replicating piece of cyber weapon, but it doesn't work forever. Stuxnet was released in 2009, it did its damage in 2010, and Stuxnet stopped all operations in the summer of 2012. It had a pre-programmed kill date, I believe June 2nd 2012, something like that. After that day it simply does not work. If I give you a USB stick infected with the Stuxnet worm today and you put it into your computer, nothing's gonna happen, unless you set your date back to 2010 or something like that. Nothing's gonna happen. So they were thinking about this, sort of like building landmines which automatically stop operations after two or three years, assuming that the crisis is over in two or three years. This is what they were thinking when they were putting this kill date inside Stuxnet, and that's to me an example of ethical thinking applied to the development of cyber weapons, which is interesting.

So what about the ethics of the defenders? I'm a defender. I work for a company which does this kind of work. One way we do defense is that we break into your network and then we tell you how we did it. You can actually hire us to do that, and when we do that we use exactly the same kind of methods that real criminals do. But of course we're not criminals; we do it with permission. You can even hire us to break into your offices physically, and we do that as well, but of course we're not criminals, we do it with permission, and then we can tell you how we did it. These kinds of penetration testing rehearsals of course require strict ethics from our employees, because they now have the skills they could use for bad. With great power comes great responsibility; the famous quote from the Spider-Man movie applies to us as well.

And security software is running at a very high access level in our computers. If you look at a typical client security or antivirus application running on your Windows or OS X computer, it's running as administrator or root. It can do anything it wants on your computer, and to defend your computer from attacks and malware they actually collect surprisingly large amounts of information. Do you know what kind of information your antivirus product collects from your computer and sends back to the vendors? Most of you do not know, because most of the vendors do not publish this. In fact, I believe, as far as I know, we are the only antivirus vendor which has actually published exactly what information we collect, and how we collect it, and how we analyze it before we send it to our back ends for analysis. And this is something I'm calling for the rest of the industry to get their act together on: we need to be able to show to our customers exactly what we do on their machines. We have a very high level of access on their machines to be able to protect them. I also call for security companies to be more clear in their end-user license agreements. Our agreements aren't perfect, of course they're not, but they're pretty good. When you look, for example, at our privacy principles for our VPN products, they're very easy to read; anybody can understand what we're saying. So when you cut down the amount of legalese, when you restrict how much junk your lawyers can put into your end-user license agreements, you end up with license agreements that actually are understandable.

So you might have heard the saying that data is the new oil, and this is absolutely true: data is the new oil. A perfect example of this is, well, one of the sponsors of this event, Google. Because we all use Google; we all make searches on Google, or watch videos on YouTube, or use Gmail or Google Apps or Google Docs, and none of us pays a cent. Yet somehow Google last year made 80 billion in revenue, 20 billion in profit. Data is the new oil, clearly it is. And just like oil brought mankind prosperity and problems, data will bring us prosperity and problems as well. Oil brought us problems like global warming or oil leaks, and if you're working with data, well, you have to worry about data leaks. Data is also a liability, and this doesn't just apply to technology companies, because today all companies are software companies. Every single company is a software company. You look at, you know, car companies: what are cars? Cars are data centers on four wheels. That's what they are. Every company is a software company, and this means that every company today has to think about security engineering, and every company today has to think about ethics in cybersecurity. Thank you very much.

[Applause]
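The kill date Hypponen describes is a time gate: the sample checks the clock and refuses to run once a hard-coded day has passed, which is why a sample that is "dormant" today revives when the clock is wound back. The Python below is an added example written for this page, not code from the talk and not Stuxnet's own logic. It models such a gate with the clock injected as a parameter, and adds the analyst's side of the same observation: a probe that executes the sample under a sweep of fake clocks and reports every date at which its behaviour changes, so a gate can be located without altering the host clock. It goes slightly beyond the talk in that the probe also reveals samples with both an activation and a kill date. The kill date 2012-06-02 is the one the speaker recalls in the talk and is used here purely as an assumption; all inputs are constructed.

```python
"""Time-gated payload and a clock-sweep probe for it.

Added example, not code from the talk or from Stuxnet. KILL_DATE is the date
the speaker recalls in the talk and is an assumption, not a verified artefact.
"""
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Assumption: the kill date as recalled in the talk ("I believe June 2nd 2012").
KILL_DATE = date(2012, 6, 2)


def parse_day(text: str) -> date:
    """Convenience parser for ISO dates ("2012-06-02") used by callers and tests."""
    return date.fromisoformat(text)


def payload_active(today: date, kill_date: date = KILL_DATE) -> bool:
    """The kill-switch check itself: the payload only runs strictly before the kill date."""
    return today < kill_date


def run_sample(today: date, kill_date: date = KILL_DATE) -> str:
    """What an observer sees when the sample executes under a given clock:
    'spread' while the gate is open, 'dormant' once the kill date has passed."""
    return "spread" if payload_active(today, kill_date) else "dormant"


def probe_time_gate(sample: Callable[[date], str], start: date, end: date,
                    step_days: int = 1) -> List[Tuple[date, str]]:
    """Run `sample` under every fake clock from `start` to `end` (inclusive)
    and record each date at which the observed behaviour changes.

    The first entry is the behaviour at `start`; each later entry marks a
    transition. A plain kill date therefore yields one transition, while a
    sample that also waits for an activation date yields two. Resolution is
    `step_days`; use 1 to pin the boundary to the exact day.
    """
    transitions: List[Tuple[date, str]] = []
    previous: Optional[str] = None
    clock = start
    while clock <= end:
        behaviour = sample(clock)
        if behaviour != previous:
            transitions.append((clock, behaviour))
            previous = behaviour
        clock += timedelta(days=step_days)
    return transitions


def windowed_sample(today: date) -> str:
    """Constructed variant with an activation date as well as a kill date,
    to show the probe reporting both edges of the window."""
    if today < date(2009, 6, 1):
        return "dormant"
    return run_sample(today)


if __name__ == "__main__":
    # A stick plugged in today does nothing; winding the clock back to 2010 revives it.
    print("today:", run_sample(date.today()))
    print("2010-01-01:", run_sample(date(2010, 1, 1)))
    # Sweep the clock across 2012 to locate the gate without touching the host clock.
    for day, behaviour in probe_time_gate(run_sample, date(2012, 1, 1), date(2012, 12, 31)):
        print(day.isoformat(), behaviour)
    # The same probe over a wider range exposes both edges of a windowed sample.
    for day, behaviour in probe_time_gate(windowed_sample, date(2009, 1, 1), date(2012, 12, 31)):
        print(day.isoformat(), behaviour)
```

The probe is deliberately a linear sweep rather than a binary search: binary search assumes a single monotonic edge, and a sample with an activation window, or one that is dormant on particular weekdays, would mislead it. In a real sandbox the "fake clock" would be supplied by the analysis environment rather than a function argument, but the observation being made is the same one the talk describes.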
